Two 14-year-old Canadian boys almost got into trouble last Wednesday, but somebody wrote them a nice note explaining that they were late getting back from lunch because they had hacked the bejeezus out of an ATM.

The note began thusly:

Please excuse Mr. Caleb Turon and Matthew Hewlett for being late during their lunch hour due to assisting [Bank of Montreal] with security.

According to the Winnipeg Sun, the two ninth-graders came across an old ATM operators manual online that showed how to get into the machine's operator mode.

So on Wednesday, over their lunch hour, they thought they'd give it a go.

They went to the Bank of Montreal's (BMO's) ATM at the Safeway on Grant Avenue in Winnipeg. Much to their surprise, the dusty old manual's instructions worked.

When the ATM asked for a password, they plugged in the first lame-o, six-character groaner of a bad password that popped into their heads.

That worked, too.

Much to the boys' white-hat credit, they then marched right over to a nearby bank branch to let them know.

Staff's response: no way.

Boys' response: yes, way.

And then, they proved it.

Here's how, as Hewlett described it to the Winnipeg Sun:

We both went back to the ATM and I got into the operator mode again. Then I started printing off documentation like how much money is currently in the machine, how many withdrawals have happened that day, how much it's made off surcharges.

Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.

Then, just for fun, and, well, for the sake of accuracy, Hewlett changed the ATM's greeting from "Welcome to the BMO ATM" to "Go away. This ATM has been hacked."

They printed out six documents for BMO, and this time, staff took them seriously.

BMO sent an email statement on Friday in which Ralph Marranca, director of media relations, said the bank was aware of the incident and had taken steps that block unauthorized access.

From the statement sent to the Winnipeg Sun:

Customer information and accounts and the contents of the ATM were never at risk and are secure.

What's the takeaway? To keep manuals under lock and key, most assuredly, for one.

And oh, by the way, surely there shouldn't be any way for anyone to access anything other than the public-facing functionality through the public-facing terminal?

Naked Security has written scads of "DON'T HARDWIRE PASSWORDS!" and "DON'T INCLUDE BACKDOORS!" stories.

If the 14-year-olds' attack was based on magic sequences that shouldn't be publicly available, that's the same sort of failing.

This isn't the first time that hardwired passwords and backdoors have let attackers into the juicy guts of an ATM, mind you.

As this clip (YouTube video) shows, some guy (who presumably got away with it!) in the US state of Virginia punched in a secret code that told the ATM that its stack of $20 bills were actually $5 bills.

He went on a profitable little spree, asking for multiple $250 withdrawals that each netted him $1,000, according to CNN.

What reason is there to have a magical sequence that let him do that?

Then too, the late, great firmware hacker Barnaby Jack famously concocted his "Jackpot" program, which goaded two ATMs into spitting out money on demand - as well as snitching sensitive data off of people's bank cards - on stage at the 2010 Black Hat conference.

Jack had a couple ways to, ahem, avoid transaction fees. One was with a homemade rootkit that let him override the machines' firmware.

He dialed up the machines - at the time, he said that he believed a large number of ATMs have remote management tools that can be accessed over a phone - and then launched the attack.

Again, what reason is there to have a backdoor like that without securing it?

Here are just a few places where they've been found lurking like so many cyber cockroaches:

Inside the horrifically hacked Target, where a shabbily coded service process with a hardwired password conveniently let crooks move data around once they were inside the network.

Internet-enabled cameras with the two-character password *? used as a hardwired backdoor password to the camera's real-time video stream.

D-Link routers with a hardwired master key that lets anyone in through an unsupervised back door.

A hard-wired Bluetooth pairing PIN (the default password being, duh, 0000) in an Android app used to control a toilet. As Trustwave researchers gravely warned at the time, the backdoor would allow an attacker to cause all sorts of flushing mayhem, to trigger lids to snap closed on people where the sun don't shine, or to flip on spontaneous bidet or air-dry functions.

14 Responses to 14-year-olds find manual online, hack an ATM during their school lunch hour

One might be surprised at the number of companies who are way too lazy to even change the default account details before rolling out a product. Hats off to these youngsters for reporting it rather than letting some criminals benefit from it.

"To keep manuals under lock and key, most assuredly, for one. " Really? Isn't that an unrealistic aim, and as Juamei suggests, a call for security by obscurity.

In the short term that may be worth attempting for a bank with currently deployed ATMs, but when buying new ATM systems I'd imagine it would be better to demand that there's nothing in the manual that needs to be kept secret.

Keeping the manuals locked away is security through obscurity. In practice it is worse because it encourages not changing default passwords.
Most banks purchase commercial off the shelf ATMs from vendors. There are only a handful worldwide that make them and all would have their manuals floating around. This is common sense.
The manual is absolutely NOT the master key. It is the 'system'.

It is negligent to leave an ATM with a default password; it must be assumed that an attacker knows how to access the operator menu.

Kerckhoffs's principle states this secret PIN, and not the ability to use it, provides security.

I agree with what all of you meant (I think). But, I would add something more: Banks (etc.) need to treat technical and vanilla manuals differently depending upon what's in them. Essentially, the manuals should be treated as data, and evaluated as to sensitivity.

Ones with sensitive information should be hidden, AND should serve as a call-to-action against the ATMs referenced by that manual. The risks caused by the existence of the manual need to be fixed in the hardware.

The ones that have no sensitivity issues should be put out in public. Why public? So that the people doing the sensitivity checking have no illusions that they're protected by being hidden.

This is similar to the email rule all should follow: When writing emails, expect that everything you write will be plastered on billboards, because it's NOT secure. If you don't like that possibility, then don't write it. (Or, find a secure way to deliver it.)

Locking up the manual in this case is NOT security. The article states that the manual was found online. Proper disposal of sensitive documents should be a part of every company's security posture. In this case, who knows how the manual came to be online, but someone dropped the ball.

My apologies for that remark about locking up the manual. Mark put out that suggestion when we were thinking the master password was in the manual somewhere, as he said, but I didn't edit it out once I learned that the boys actually made a random password guess. I should have.

Whoever designed the ATM was an idiot. A real ATM, like the type installed by banks, will usually have a strong room built around it and there is no public access to the service area behind it.
This sounds like one of those third-party ATMs that are usually installed next to the vending machines. They're not secure and I wouldn't trust them with my banking anyway. (They're really just another kind of vending machine anyway.)

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.